04May2018
Information
Print

Joomla, jQuery and PCI compliance

Information
jQuery
First published May 04, 2018
2242 hits - No rating
 
Joomla, jQuery and PCI compliance

PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards that websites have to follow in order to be able to process credit card transactions.

Generally, a third-party security assessor conducts the tests and generates a PCI compliance report, examining the physical infrastructure of the website, its access and potential code vulnerabilities.

The Joomla! platform is more secure than ever but third-party extensions and vendors may still have code issues that may need to be addressed.

I have been contacted recently by several clients about issues that did arise in their compliance reports concerning jQuery, while using Joomla and e-commerce extensions like Virtuemart.

It turns out that the latest Joomla uses a version of jQuery (v1.12) that contains 2 vulnerabilities that fail PCI compliance.

Those vulnerabilities are:

  • jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed,
  • jQuery is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.

The solution usually suggested is to update jQuery to v3.0+.

A dilemna arises then:

jQuery has not issued fixes for those vulnerabilities in the v1.12 branch (that branch does not receives patches anymore), forcing sites to move to jQuery 3+, and Joomla, packaging jQuery v1.12 internally, will probably not update its version of jQuery to v3+ until the release of Joomla 4 (mostly due to compatibility issues with current scripts, Bootstrap v2.3.2 and existing sites).

One possible solution, if your public template does not require Bootstrap 2.3.2, is to install and enable jQuery Easy to try and set jQuery to v3+ (find a reference below teaching you how you can do that). You will need to analyse your site, watching the browser console closely, and try different versions of Migrate (v3.0.1 and v1.4.1) to identify incompatibilities.

In my tests, I have found that often scripts fail because of the jQuery browser property, removed in jQuery v1.9. Using Migrate v1.4.1 fixes that issue.

Note Simplify Your Web is not PCI compliant and does not need to be, since it is not storing or manipulating credit card information and is outsourcing PayPal as a third-party payment system, which is PCI compliant.

References